[OWASP-TESTING] Comment on testing guide and contrib for part 2

Orac orac at uncon.org
Wed Aug 4 07:59:45 EDT 2004

I agree OWASP is definitely leading the charge on web application 
security and that has proved to be a good thing.

There's always a but.... but, a lot of the leading stuff that OWASP 
provides is going to take years to filter down through the 3rd party 
software vendors to the end user organisations (Especially if they 
don't do much development in-house).  We are doing our bit by making 
sure that our suppliers are aware of the OWASP guide and by publishing 
our own standard requirements to them (including informally training 
their developers in way too many cases) but for many vendors and many 
applications (especially line-of-business applications behind the 
perimeter) there is a perception that security isn't an important part 
of the sale which will change but will take longer.

We're not in the financial sector which I know from previous experience 
is a lot further along in their externally-facing applications but 
generally not much better on their internal applications.

The OWASP guide is useful to me in my role as a vendor independent 
standard with which I can explain to the business why they need these 
arcane things like input validation and the rest.

I suggest it would be useful to provide a certain level of guidance 
over the level and types of testing of 3rd party apps from the end user 
point of view. That becomes a strong supporting case for convincing the 
business that these things should be done.

It's kind of like pushing at both ends of the system development scale, 
currently OWASP does a good and important job of pushing developer 
understanding and SDLC best practice whereas we are pushing vendors for 
secure code to be delivered to us post SDLC. Hopefully we meet in the 
middle at some point.

A teleconference sounds good, I am on UK time so no 2am calls please :)



On 4 Aug 2004, at 12:29, Mark Curphey wrote:

> I hear what you are saying but running a web app scanner on a web app 
> is like testing a cars safety by front impact testing only. What 
> happens to side impacts? Rear impacts ? What happens to roll safety? 
> Is it flame proof? Do the seats give off cyanide when set alight? Do 
> the seat belts work? I am not saying they dont have place; you 
> articulate some reasons why they may be appropriate but they are very 
> very limited and very very innacurate.
> We have to be careful to set the pace and say what SHOULD be done 
> rather than WHAT is done today. OWASP has the ability to lead the 
> market into doing the right thing. Thats part of the beauty of it and 
> part of our duty in my opinion.
> As I can't type as fast as my stomach wants me to move to the 
> breakfast room, how about a teleconference next week to debate this 
> whole issue ?BTW
> I have an ASP.NET C# parser I wrote that is shaping up. The major code 
> review players (Fortify, Ounce and Coverity) are all working on Java 
> and ASP.NET modules for their platforms.

More information about the Owasp-testing mailing list